actionpack 4.0.3 → 4.0.4.rc1



Files changed (41) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +178 -0
  3. data/lib/action_controller/base.rb +1 -1
  4. data/lib/action_controller/metal/params_wrapper.rb +11 -4
  5. data/lib/action_controller/metal/redirecting.rb +1 -1
  6. data/lib/action_controller/metal/request_forgery_protection.rb +3 -0
  7. data/lib/action_controller/metal/responder.rb +1 -1
  8. data/lib/action_controller/metal/strong_parameters.rb +27 -8
  9. data/lib/action_controller/test_case.rb +3 -0
  10. data/lib/action_dispatch.rb +0 -1
  11. data/lib/action_dispatch/http/mime_negotiation.rb +1 -1
  12. data/lib/action_dispatch/http/mime_type.rb +4 -1
  13. data/lib/action_dispatch/journey/formatter.rb +2 -2
  14. data/lib/action_dispatch/journey/visitors.rb +24 -4
  15. data/lib/action_dispatch/middleware/cookies.rb +7 -7
  16. data/lib/action_dispatch/middleware/exception_wrapper.rb +1 -1
  17. data/lib/action_dispatch/middleware/session/cookie_store.rb +2 -2
  18. data/lib/action_dispatch/middleware/static.rb +3 -3
  19. data/lib/action_dispatch/routing/inspector.rb +6 -5
  20. data/lib/action_dispatch/routing/mapper.rb +57 -33
  21. data/lib/action_dispatch/routing/redirection.rb +18 -8
  22. data/lib/action_dispatch/routing/route_set.rb +26 -32
  23. data/lib/action_pack/version.rb +1 -1
  24. data/lib/action_view/helpers/asset_tag_helper.rb +2 -2
  25. data/lib/action_view/helpers/atom_feed_helper.rb +1 -1
  26. data/lib/action_view/helpers/csrf_helper.rb +4 -2
  27. data/lib/action_view/helpers/date_helper.rb +7 -3
  28. data/lib/action_view/helpers/form_helper.rb +2 -2
  29. data/lib/action_view/helpers/form_options_helper.rb +1 -1
  30. data/lib/action_view/helpers/form_tag_helper.rb +1 -1
  31. data/lib/action_view/helpers/number_helper.rb +4 -4
  32. data/lib/action_view/helpers/tag_helper.rb +1 -1
  33. data/lib/action_view/helpers/tags/collection_helpers.rb +1 -1
  34. data/lib/action_view/helpers/tags/label.rb +1 -2
  35. data/lib/action_view/helpers/text_helper.rb +6 -1
  36. data/lib/action_view/helpers/translation_helper.rb +9 -1
  37. data/lib/action_view/helpers/url_helper.rb +1 -1
  38. data/lib/action_view/template.rb +2 -2
  39. data/lib/action_view/template/error.rb +2 -2
  40. data/lib/action_view/template/text.rb +1 -1
  41. metadata +9 -9
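--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 88bdd4990a97dcad1337f5538672cf2ba466bc9e
- data.tar.gz: 5c5e247912af700ec1d6cfe4a46d6fd123d6d2c9
+ metadata.gz: 3b4c750612bd5a8cdff3e5d2d1fdebb223ff0722
+ data.tar.gz: f9d86118539be440b17fc08301300003f877425e
  SHA512:
- metadata.gz: 24449d94d5ae99d1571a69d0c39459c07c88effd7614c1f368bb359688aec13f492e0b42fe4d8cf924d6879d5a309261567e6f2019d5b34a60fbcf2637877b50
- data.tar.gz: e81f58104713eb4cecddc46b0903bbf436a19e7bd40c347311ba1fdce6f7a4f30d6cb62ddc92cbb9b9e8550693c172c29846f1fa5ee9ed5dc5aafd741ad2af59
+ metadata.gz: 0e07cef37e94e404063ff892491a75489d99b0a264a2826c7a7ae74cdb78d76ce465e199c9177b1c840d650bbe0ad36d89aa5a409e7352683597f721997690d9
+ data.tar.gz: b97cffd76fb157bdef3492d70718dbc527c73d5c028c03e2e0e62cf79f148266a17fe34c357640873b1392ec2ab20e1a37e423e0ba99d95c568d8a7d1ec3bebc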
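--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,7 +1,185 @@
+ ## Rails 4.0.4 ##
+
+ * Fix label translation for more than 10 nested elements.
+
+ *Vladimir Krylov*
+
+ * Use a custom route visitor for optimized url generation. Fixes #13349.
+
+ *Andrew White*
+
+ * Set the `:shallow_path` scope option as each scope is generated rather than
+ waiting until the `shallow` option is set. Also make the behavior of the
+ `:shallow` resource option consistent with the behavior of the `shallow` method.
+
+ Fixes #12498.
+
+ *Andrew White*, *Aleksi Aalto*
+
+ * Do not discard query parameters that form a hash with the same root key as
+ the `wrapper_key` for a request using `wrap_parameters`.
+
+ *Josh Jordan*
+
+ * Ensure that `request.filtered_parameters` is reset between calls to `process`
+ in `ActionController::TestCase`.
+
+ Fixes #13803.
+
+ *Andrew White*
+
+ * Fix `rake routes` error when `Rails::Engine` with empty routes is mounted.
+
+ Fixes #13810.
+
+ *Maurizio De Santis*
+
+ * Unique the segment keys array for non-optimized url helpers
+
+ In Rails 3.2 you only needed pass an argument for dynamic segment once so
+ unique the segment keys array to match the number of args. Since the number
+ of args is less than required parts the non-optimized code path is selected.
+ This means to benefit from optimized url generation the arg needs to be
+ specified as many times as it appears in the path.
+
+ Fixes #12808.
+
+ *Andrew White*
+
+ * Show full route constraints in error message
+
+ When an optimized helper fails to generate, show the full route constraints
+ in the error message. Previously it would only show the contraints that were
+ required as part of the path.
+
+ Fixes #13592.
+
+ *Andrew White*
+
+ * Allow engine root relative redirects using an empty string.
+
+ Example:
+
+ # application routes.rb
+ mount BlogEngine => '/blog'
+
+ # engine routes.rb
+ get '/welcome' => redirect('')
+
+ This now redirects to the path `/blog`, whereas before it would redirect
+ to the application root path. In the case of a path redirect or a custom
+ redirect if the path returned contains a host then the path is treated as
+ absolute. Similarly for option redirects, if the options hash returned
+ contains a `:host` or `:domain` key then the path is treated as absolute.
+
+ Fixes #7977.
+
+ *Andrew White*
+
+ * Fix `Encoding::CompatibilityError` when public path is UTF-8
+
+ In #5337 we forced the path encoding to ASCII-8BIT to prevent static file handling
+ from blowing up before an application has had chance to deal with possibly invalid
+ urls. However this has a negative side effect of making it an incompatible encoding
+ if the application's public path has UTF-8 characters in it.
+
+ To work around the problem we check to see if the path has a valid encoding once
+ it has been unescaped. If it is not valid then we can return early since it will
+ not match any file anyway.
+
+ Fixes #13518.
+
+ *Andrew White*
+
+ * `ActionController::Parameters#permit!` permits hashes in array values.
+
+ *Xavier Noria*
+
+ * Converts hashes in arrays of unfiltered params to unpermitted params.
+
+ Fixes #13382.
+
+ *Xavier Noria*
+
+ * `rake routes` shows routes defined under assets prefix.
+
+ *Ryunosuke SATO*
+
+ * Label tags generated by collection helpers only inherit the `:index` and
+ `:namespace` from the input, because only these attributes modifies the
+ `for` attribute of the label. Also, the input attributes don't have
+ precedence over the label attributes anymore.
+
+ Before:
+
+ collection = [[1, true, { class: 'foo' }]]
+ f.collection_check_boxes :options, collection, :second, :first do |b|
+ b.label(class: 'my_custom_class')
+ end
+
+ # => <label class="foo" for="user_active_true">1</label>
+
+ After:
+
+ collection = [[1, true, { class: 'foo' }]]
+ f.collection_check_boxes :options, collection, :second, :first do |b|
+ b.label(class: 'my_custom_class')
+ end
+
+ # => <label class="my_custom_class" for="user_active_true">1</label>
+
+ *Andriel Nuernberg*
+
+ * Fix regression when using `ActionView::Helpers::TranslationHelper#translate` with
+ `options[:raise]`.
+
+ This regression was introduced at ec16ba75a5493b9da972eea08bae630eba35b62f.
+
+ *Shota Fukumori (sora_h)*
+
+ * Fix render of localized templates without an explicit format using wrong
+ content header and not passing correct formats to template due to the
+ introduction of the `NullType` for mimes.
+
+ Templates like `hello.it.erb` were subject to this issue.
+
+ Fixes #13064.
+
+ *Angelo Capilleri*, *Carlos Antonio da Silva*
+
+ * Fix regression with `simple_format` not having access to the `raw` method
+ when included in isolation, introduced with the security fix in Rails 4.0.2.
+
+ *Mario Visic*
+
+ * Fix formatting for `rake routes` when a section is shorter than a header.
+
+ *Sıtkı Bağdat*
+
+ * Use `set_backtrace` instead of instance variable `@backtrace` in ActionView exceptions.
+
+ *Shimpei Makimoto*
+
+ * Fix `simple_format` escapes own output when passing `sanitize: true`.
+
+ *Paul Seidemann*
+
+ * Don't let strong parameters mutate the given hash via `fetch`.
+
+ Create a new instance if the given parameter is a `Hash` instead of
+ passing it to the `convert_hashes_to_parameters` method since it is
+ overriding its default value.
+
+ *Brendon Murphy*, *Doug Cole*
+
+
+ ## Rails 4.0.3 (February 18, 2014) ##
+
  * Escape format, negative_format and units options of number helpers
 
  Fixes: CVE-2014-0081
 
+
  ## Rails 4.0.2 (December 02, 2013) ##
 
  * Ensure simple_format escapes its html attributes. This fixes CVE-2013-6416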
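--- a/data/lib/action_controller/base.rb
+++ b/data/lib/action_controller/base.rb
@@ -85,7 +85,7 @@ module ActionController
  # or you can remove the entire session with +reset_session+.
  #
  # Sessions are stored by default in a browser cookie that's cryptographically signed, but unencrypted.
- # This prevents the user from tampering with the session but also allows him to see its contents.
+ # This prevents the user from tampering with the session but also allows them to see its contents.
  #
  # Do not put secret information in cookie-based sessions!
  #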
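--- a/data/lib/action_controller/metal/params_wrapper.rb
+++ b/data/lib/action_controller/metal/params_wrapper.rb
@@ -231,7 +231,12 @@ module ActionController
  # by the metal call stack.
  def process_action(*args)
  if _wrapper_enabled?
- wrapped_hash = _wrap_parameters request.request_parameters
+ if request.parameters[_wrapper_key].present?
+ wrapped_hash = _extract_parameters(request.parameters)
+ else
+ wrapped_hash = _wrap_parameters request.request_parameters
+ end
+
  wrapped_keys = request.request_parameters.keys
  wrapped_filtered_hash = _wrap_parameters request.filtered_parameters.slice(*wrapped_keys)
 
@@ -259,14 +264,16 @@ module ActionController
 
  # Returns the list of parameters which will be selected for wrapped.
  def _wrap_parameters(parameters)
- value = if include_only = _wrapper_options.include
+ { _wrapper_key => _extract_parameters(parameters) }
+ end
+
+ def _extract_parameters(parameters)
+ if include_only = _wrapper_options.include
  parameters.slice(*include_only)
  else
  exclude = _wrapper_options.exclude || []
  parameters.except(*(exclude + EXCLUDE_PARAMETERS))
  end
-
- { _wrapper_key => value }
  end
 
  # Checks if we should perform parameters wrapping.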
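Review bot: In `process_action` (first hunk) `wrapped_hash` no longer has one shape: the `present?` branch yields the flat hash returned by `_extract_parameters`, the `else` branch yields `{ _wrapper_key => ... }`, while `wrapped_filtered_hash` two lines later is always keyed under `_wrapper_key`; presumably both are merged into the request further down, outside the hunk. The asymmetry matches the changelog intent (do not discard an existing `params[wrapper_key]`), but nothing in the method says so, and a later "cleanup" could easily re-wrap that branch; a comment above the `if` such as `# The wrapper key is already present (e.g. supplied via the query string): keep the caller's nested hash rather than wrapping the body params a second time` would pin it. `present?` also means a blank value under the key falls through to wrapping, which is worth a word if deliberate. `process_action` continues past the hunk, and the new `_extract_parameters` in the second hunk carries no doc comment while `_wrap_parameters` keeps its old one.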
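--- a/data/lib/action_controller/metal/redirecting.rb
+++ b/data/lib/action_controller/metal/redirecting.rb
@@ -58,7 +58,7 @@ module ActionController
  # redirect_to post_url(@post), alert: "Watch it, mister!"
  # redirect_to post_url(@post), status: :found, notice: "Pay attention to the road"
  # redirect_to post_url(@post), status: 301, flash: { updated_post_id: @post.id }
- # redirect_to { action: 'atom' }, alert: "Something serious happened"
+ # redirect_to({ action: 'atom' }, alert: "Something serious happened")
  #
  # When using <tt>redirect_to :back</tt>, if there is no referrer, ActionController::RedirectBackError will be raised. You may specify some fallback
  # behavior for this case by rescuing ActionController::RedirectBackError.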
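--- a/data/lib/action_controller/metal/request_forgery_protection.rb
+++ b/data/lib/action_controller/metal/request_forgery_protection.rb
@@ -124,6 +124,9 @@ module ActionController #:nodoc:
  @loaded = true
  end
 
+ # no-op
+ def destroy; end
+
  def exists?
  true
  end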
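Review bot: `# no-op` above the added `destroy` says what the method does but not why that is correct, and since the same object reports `exists?` as `true` and sets `@loaded = true`, a reader will wonder whether `destroy` should be clearing something. If this is the throwaway session installed when forgery protection rejects a request's session, say so in the comment, e.g. `# no-op: this session never holds data, so reset_session (which calls destroy) has nothing to clear and must not raise`. The enclosing class begins before the hunk, so the exact role of the object is inferred here.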
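--- a/data/lib/action_controller/metal/responder.rb
+++ b/data/lib/action_controller/metal/responder.rb
@@ -140,7 +140,7 @@ module ActionController #:nodoc:
  undef_method(:to_json) if method_defined?(:to_json)
  undef_method(:to_yaml) if method_defined?(:to_yaml)
 
- # Initializes a new responder an invoke the proper format. If the format is
+ # Initializes a new responder and invokes the proper format. If the format is
  # not defined, call to_format.
  #
  def self.call(*args)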
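--- a/data/lib/action_controller/metal/strong_parameters.rb
+++ b/data/lib/action_controller/metal/strong_parameters.rb
@@ -3,6 +3,7 @@ require 'active_support/core_ext/array/wrap'
  require 'active_support/rescuable'
  require 'action_dispatch/http/upload'
  require 'stringio'
+ require 'set'
 
  module ActionController
  # Raised when a required parameter is missing.
@@ -17,7 +18,7 @@ module ActionController
 
  def initialize(param) # :nodoc:
  @param = param
- super("param not found: #{param}")
+ super("param is missing or the value is empty: #{param}")
  end
  end
 
@@ -125,6 +126,13 @@ module ActionController
  @permitted = self.class.permit_all_parameters
  end
 
+ # Attribute that keeps track of converted arrays, if any, to avoid double
+ # looping in the common use case permit + mass-assignment. Defined in a
+ # method to instantiate it only if needed.
+ def converted_arrays
+ @converted_arrays ||= Set.new
+ end
+
  # Returns +true+ if the parameter is permitted, +false+ otherwise.
  #
  # params = ActionController::Parameters.new
@@ -149,8 +157,10 @@ module ActionController
  # Person.new(params) # => #<Person id: nil, name: "Francesco">
  def permit!
  each_pair do |key, value|
- convert_hashes_to_parameters(key, value)
- self[key].permit! if self[key].respond_to? :permit!
+ value = convert_hashes_to_parameters(key, value)
+ Array.wrap(value).each do |_|
+ _.permit! if _.respond_to? :permit!
+ end
  end
 
  @permitted = true
@@ -284,7 +294,7 @@ module ActionController
  # params.fetch(:none, 'Francesco') # => "Francesco"
  # params.fetch(:none) { 'Francesco' } # => "Francesco"
  def fetch(key, *args)
- convert_hashes_to_parameters(key, super)
+ convert_hashes_to_parameters(key, super, false)
  rescue KeyError
  raise ActionController::ParameterMissing.new(key)
  end
@@ -317,12 +327,21 @@ module ActionController
  end
 
  private
- def convert_hashes_to_parameters(key, value)
- if value.is_a?(Parameters) || !value.is_a?(Hash)
+ def convert_hashes_to_parameters(key, value, assign_if_converted=true)
+ converted = convert_value_to_parameters(value)
+ self[key] = converted if assign_if_converted && !converted.equal?(value)
+ converted
+ end
+
+ def convert_value_to_parameters(value)
+ if value.is_a?(Array) && !converted_arrays.member?(value)
+ converted = value.map { |_| convert_value_to_parameters(_) }
+ converted_arrays << converted
+ converted
+ elsif value.is_a?(Parameters) || !value.is_a?(Hash)
  value
  else
- # Convert to Parameters on first access
- self[key] = self.class.new(value)
+ self.class.new(value)
  end
  end
 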
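Review bot: `converted_arrays` is a `Set`, so the `member?` test in `convert_value_to_parameters` (last hunk) compares arrays by `hash`/`eql?`, i.e. by contents, not by identity, and `Hash#eql?` does not distinguish a plain hash from a `Parameters`. Two keys whose arrays have equal contents therefore share one entry: once the first is converted, the second is reported as already converted, returned unconverted and never assigned back, so the hashes inside it never become `Parameters` and `permit!` (`Array.wrap(value).each { _.permit! if _.respond_to? :permit! }`) skips them; a stored array that is mutated afterwards also becomes unfindable because its hash changed. Tracking by identity removes both problems: `@converted_arrays ||= {}.compare_by_identity` in the `converted_arrays` hunk, and `!converted_arrays.key?(value)` / `converted_arrays[converted] = true` here (`Hash#compare_by_identity` exists on every Ruby this gem supports, whereas `Set` of that era has no identity mode), after which the new `require 'set'` is unnecessary. Using `_` as a live block parameter in `permit!` and in the `map` reads as "unused"; `element` or `item` would be clearer.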
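--- a/data/lib/action_controller/test_case.rb
+++ b/data/lib/action_controller/test_case.rb
@@ -213,6 +213,9 @@ module ActionController
  # Clear the combined params hash in case it was already referenced.
  @env.delete("action_dispatch.request.parameters")
 
+ # Clear the filter cache variables so they're not stale
+ @filtered_parameters = @filtered_env = @filtered_path = nil
+
  params = self.request_parameters.dup
  %w(controller action only_path).each do |k|
  params.delete(k)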
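Review bot: The added reset writes `@filtered_parameters`, `@filtered_env` and `@filtered_path` directly, so the test request now duplicates knowledge of which memoization ivars the parent request class (presumably, from the `@env` usage) keeps; if that class adds or renames a cache, this line silently stops clearing it and stale filtered values leak between `process` calls again. A small reset method defined next to those memoizers, called from here, would keep the list in one place; failing that, extend the comment to name the class that owns the ivars so the coupling is visible. The enclosing method begins before the hunk.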
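--- a/data/lib/action_dispatch.rb
+++ b/data/lib/action_dispatch.rb
@@ -52,7 +52,6 @@ module ActionDispatch
  autoload :DebugExceptions
  autoload :ExceptionWrapper
  autoload :Flash
- autoload :Head
  autoload :ParamsParser
  autoload :PublicExceptions
  autoload :Reloader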
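--- a/data/lib/action_dispatch/http/mime_negotiation.rb
+++ b/data/lib/action_dispatch/http/mime_negotiation.rb
@@ -48,7 +48,7 @@ module ActionDispatch
  # GET /posts/5 | request.format => Mime::HTML or MIME::JS, or request.accepts.first
  #
  def format(view_path = [])
- formats.first
+ formats.first || Mime::NullType.instance
  end
 
  def formats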
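Review bot: `format` now returns `Mime::NullType.instance` when `formats` is empty, but the comment above it still ends with `request.format => Mime::HTML or MIME::JS, or request.accepts.first` and never mentions the null object, so callers checking `request.format.nil?` or a predicate on it have no documented contract for the no-match case. Add a line to the comment, e.g. `# When no format can be negotiated, returns Mime::NullType.instance rather than nil, so the result always responds like a type`. The `view_path` parameter is not read in the visible body; if it is kept only for compatibility, a short note saying so would stop readers from looking for its use.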
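--- a/data/lib/action_dispatch/http/mime_type.rb
+++ b/data/lib/action_dispatch/http/mime_type.rb
@@ -1,4 +1,5 @@
  require 'set'
+ require 'singleton'
  require 'active_support/core_ext/class/attribute_accessors'
  require 'active_support/core_ext/string/starts_ends_with'
 
@@ -27,7 +28,7 @@ module Mime
  class << self
  def [](type)
  return type if type.is_a?(Type)
- Type.lookup_by_extension(type) || NullType.new
+ Type.lookup_by_extension(type)
  end
 
  def fetch(type)
@@ -308,6 +309,8 @@ module Mime
  end
 
  class NullType
+ include Singleton
+
  def nil?
  true
  end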
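Review bot: `Mime[]` (second hunk) now returns `nil` for an unregistered extension where it used to return a fresh `NullType`, which flips the truthiness of the result for any caller written as `Mime[ext] || fallback` or chaining a method on it, and the method has no doc comment recording the new contract. A line above `def [](type)` such as `# Returns the registered Mime::Type for +type+ (a Type is returned as is), or nil when no type is registered under that extension.` would make the change deliberate and visible. Including `Singleton` in `NullType` (third hunk) also makes `NullType.new` a private method, so any caller outside this diff that still constructs one will raise `NoMethodError` and needs to move to `NullType.instance`.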
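--- a/data/lib/action_dispatch/journey/formatter.rb
+++ b/data/lib/action_dispatch/journey/formatter.rb
@@ -33,8 +33,8 @@ module ActionDispatch
  return [route.format(parameterized_parts), params]
  end
 
- message = "No route matches #{constraints.inspect}"
- message << " missing required keys: #{missing_keys.inspect}" if name
+ message = "No route matches #{Hash[constraints.sort].inspect}"
+ message << " missing required keys: #{missing_keys.sort.inspect}" if name
 
  raise ActionController::UrlGenerationError, message
  end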
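Review bot: `Hash[constraints.sort]` sorts `[key, value]` pairs with `<=>`, which raises `ArgumentError` ("comparison of Array with Array failed") as soon as two keys are not mutually comparable, for example a Symbol key next to a String key; because this line runs only on the failure path, the `UrlGenerationError` the caller should see would be replaced by that `ArgumentError`. Sorting on a string form of the key gives the same stable output without the hazard: `message = "No route matches #{Hash[constraints.sort_by { |k, _| k.to_s }].inspect}"`. Whether `constraints` can actually carry mixed key types here depends on the caller, which is outside the hunk; `missing_keys.sort` is fine if it only ever holds symbols.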
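--- a/data/lib/action_dispatch/journey/visitors.rb
+++ b/data/lib/action_dispatch/journey/visitors.rb
@@ -77,12 +77,32 @@ module ActionDispatch
  end
  end
 
- class OptimizedPath < String # :nodoc:
+ class OptimizedPath < Visitor # :nodoc:
+ def accept(node)
+ Array(visit(node))
+ end
+
  private
 
- def visit_GROUP(node)
- ""
- end
+ def visit_CAT(node)
+ [visit(node.left), visit(node.right)].flatten
+ end
+
+ def visit_SYMBOL(node)
+ node.left[1..-1].to_sym
+ end
+
+ def visit_STAR(node)
+ visit(node.left)
+ end
+
+ def visit_GROUP(node)
+ []
+ end
+
+ %w{ LITERAL SLASH DOT }.each do |t|
+ class_eval %{ def visit_#{t}(n); n.left; end }, __FILE__, __LINE__
+ end
  end
 
  # Used for formatting urls (url_for)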
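Review bot: The `%w{ LITERAL SLASH DOT }.each { class_eval %{ ... } }` loop builds three trivial methods from a source string when `define_method` says the same thing without string evaluation: `define_method(:"visit_#{t}") { |n| n.left }` (followed by `private :"visit_#{t}"` if they are meant to be private like the hand-written visitors, since a string `def` inside the loop does not obviously inherit the `private` section). `visit_SYMBOL` assumes `node.left` starts with a one-character sigil when it slices `[1..-1]`; a comment such as `# node.left is the raw ":name" token from the path; drop the leading colon` (if that is the token format) would record the assumption. `OptimizedPath` also has no comment stating what `accept` returns, which from the visitors appears to be a flat array of literal strings and segment symbols with optional groups dropped (`visit_GROUP` returns `[]`); the class name alone does not convey that.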